Shibboleth Developers

[Velpi <>]

> > Another (probably silly) question: the new module uses the environment
> > variables. Since I'm doing proxy'ing I need it to fill the headers. Is
> > that an option that I missed or should that happen automatically? (it's
> > not doing that with my current config)
>
> Yeah, just do:
> ShibUseEnvironment Off
>
> The option will also exist in 1.3.1, just defaults the other way for
> compatibility.

GrEaT!

ShibUseEnvironment is an "OR_AUTHCFG" type:
"
A directive with the OR_AUTHCFG bit set may appear in the server-wide 
configuration files (e.g., httpd.conf) inside <Directory> or <Location> 
containers, and in .htaccess files when the scope is covered by an 
AllowOverride AuthConfig keyword.
"
So to use it 'globally' I need to make sure the global scope is covered 
by "AllowOverride AuthConfig". Is that possible? If not: great solution, 
but not extremely practical (alternative options?).

dev-discussion about https://bugs.internet2.edu/jira/browse/SSPCPP-22 : 
"attribute aliases not available anymore"
This creates a (the only I noticed so far) compatibility issue, but I 
agree that it should be encouragement to switch to the safer environment 
variables option. However it would be superb if we would be able to 
offer both methods at the same time. This will not only easy 
compatibilty, but will allow everybody to 'port' their applications 
piece-by-piece.
I'm a little afraid that it will be extremely difficult to say to our 
partners: "You really should upgrade to Shib2.0, it's safer and has neat 
functions like... PS: you need to adjust all your applications in that 
case." The ps will cause most people to respond with either a plain no 
or put it on hold for quite some time.

The best technical solution I see:
* "ShibUseEnvironment On" + "ShibUseHeaders On" (default On+Off)
* being able to define an attribute twice with different ID's in the 
attribute map (or something like that): this should solve a big pool of 
(future) compatibility problems.


-- Velpi